Identity Verification, AML/KYC Regulations and Compliance Breaches

By Robert O'Grady, Joseph Beverley
October 26, 2021

Reporting entities such as digital currency exchanges may not be satisfying KYC standards when onboarding new customers and may be in breach of compliance requirements.

There are a lot of acronyms flying around the anti-money laundering and counter-terrorism financing (AML/CTF) space, and it can be a challenge making sure your business is complying with the related (but different) components.

Know Your Customer (KYC) regulations are enforced by different countries at different levels of requirements. Financial Institutions, Digital Lenders, FinTechs and Digital Currency Exchanges need to navigate a robust legal framework. One that’s been put in place to protect financial systems against money laundering threats and the financing of terrorism (ML/TF).

Just last year, AML/KYC fines in Australia and Asia – Pacific increased (quite dramatically!) from $3.5 million to almost $4 billion. It’s clear, anyone entering the digital lending niche should have a strong grasp on the rules and what their business needs to do to stay in the green zone.

The rules can be complicated, but they don’t need to be. We break it and outline what you need to know in Australia to stay compliant.

What is the difference between KYC and AML?

AML (anti-money laundering) is an umbrella term for the range of regulatory processes that must be in place to counter criminals attempting to use services to launder proceeds from criminal activity. KYC (Know Your Customer) processes are a critical element in mitigating ML/TF risks, by identifying a customer prior to providing services, creating a barrier for bad actors. An AML program consists of verifying a customer’s identity and the rules around identity document verification.

Why is it important?

The Australian Transaction Reports and Analysis Centre (AUSTRAC) is the Australian regulatory body that administers the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) and associated rules. Under these, reporting entities are required to maintain a robust AML/CTF program, documenting their KYC/AML processes.

The majority of criminal cryptocurrency is laundered via centralised digital currency exchanges with weak AML/CTF programs and processes. In recent years there has been a need for smarter technology to identify individuals, because just taking a photo of a driver’s licence might not be cutting it.

Don’t know if you’re a reporting entity? Try AUSTRAC’s interactive questionnaire.

Knowing your Customer and Identity Verification - What do you actually need for document verification?

Understandably, there might still be a bit of confusion surrounding what level of checks need to be completed to sufficiently KYC a customer through document verification. In this article, we specifically discuss document verification and the misconceptions that may arise potentially putting businesses at risk. In Australia, there is a non-exhaustive list of what constitutes reliable, independent documentation:

a) original primary photographic identification documents;*1

b) original primary non-photographic identification documents; and*2

c) original secondary identification documents.*3

While each of these refers to an original copy of a document, businesses typically need to make their own determination as to what they consider to be reliable and independent documentation for the purposes of verifying KYC information. This can include a variety of factors that helps satisfy the business of document integrity*4.

In the digital space, businesses may typically consider it appropriate to rely on certified copies of documents*5 (rather than originals) and use other technology to determine document authenticity. Separately, businesses may look to rely more on electronic verification (discussed in another article). 

Let’s Talk Biometrics and IDV

Regulatory technology (RegTech) - specifically identity document verification (IDV) - serves as the cornerstone of establishing the integrity and purpose of original documents. This makes opening a bank account, registering on digital currency exchange or engaging in social media possible without presenting physical copies of ID.

IDV uses optical character recognition (OCR) and biometrics to determine the authenticity of the ID and person. However, it does not verify the individual and document against multiple data sources.

IDV has multiple steps in determining ID authenticity, including:

  • Liveliness: does this person look real or is it a photo passing off during the check?  
  • Identity Document: does the ID have the same registered details or are there discrepancies or potentially tampering?
  • Selfies and Facial Matches: does this customer’s face match the document they’re holding or is it another person?


Interesting fact: To determine if a person is in fact real, some IDV technologies take a video when recording or taking a photo of your face or ID. It does this to understand depth, lighting, environment, facial structure (to name a few).

IDV is critical. There is no denying that. Both in the war against ML/TF – it also protects your business and the customer! But it’s not without its shortcomings.

Why IDV & biometrics do not satisfy KYC

Just checking the authenticity of a document may not independently satisfy Australia’s Safe Harbour requirements.  For example, if a digital currency exchange only used IDV tech during their onboarding process, a new customer could use an expired, suspended or foreign ID and register without any problem.

As IDV only checks for the authenticity of the actual document, it does NOT verify the individual against any data sources. This creates the potential of approving fraudulent accounts, politically exposed persons or sanctioned individuals.

Therefore, it is important for businesses to maintain an adaptive process that takes into consideration each risk factor to ensure the business is obtaining appropriately verifiable documentation based on the specific customer and their risk profile.

It’s important to think: “How well do I know my customer?”


For more information on Safe Harbour Verification Procedures click here

For AUSTRAC KYC information visit the AUSTRAC Website here

Need more information? Get in touch

About FrankieOne

Frankie connects to 350+ different vendors and data sources from ID verification, eKYC, AML, fraud monitoring and credit tools, to enable data lead decisioning and a unified “single point of truth”.

We offer one unifying view for compliance, operations, audit and risk. Providing the single point of truth, single view of the customer and with all tools in the same place, our clients experience reduced resolution times, speedier customer onboarding and increased staff productivity.


Footnotes:

*1 For example, domestic or foreign government-issued driving licences/permits, passports, government-issued photographic identification cards and national identity cards.

*2 For example, domestic or foreign government-issued birth certificates, citizenship certificates and concession cards.

*3 For example, domestic government-issued financial benefit statements, official taxation documents, local government or utility provider issued statements and (for individuals under 18 years old) a principal issued statement (each of which must disclose the person's name and residential address).

*4 This may include factors such as being satisfied that the documentation has not expired, whether and in what circumstances the business is prepared to rely upon a copy of a reliable and independent document (instead of an original), in what circumstances the business will take steps to determine whether a document produced has been forged, tampered with, cancelled or stolen, whether an authentication service will be used and whether contact will be initiated with the individual to confirm KYC information.

*5 This means the document has been certified as a true copy of an original document by specific individuals who can validate a document.


Disclaimer: The contents of this article does not constitute legal or compliance advice. It is not intended to be a substitute for legal or compliance advice and should not be relied upon as such. You should seek legal advice or other professional advice in relation to any particular matters you or your organisation may have. The contents of this article are limited to the views of the authors and do not represent the views of their employers.